1

Consider a normal PKI encryption flow - hash the plaintext, then encrypt the hash with the private key of the sender and then encrypt it with the public key of the recipient. All this is good - and I am good even with the decryption steps taken by the recipient.

I still don't understand how the recipient gets the plaintext from the hashed ciphertext. The recipient can easily 'decrypt the hashed plaintext'. But then what - all you are left with is a hashed plaintext. There is no way to un-hash it. How does the recipient retrieve the plain text message from the hashed message?

user2736158
  • 111
  • 2
  • Is https://security.stackexchange.com/questions/124555/why-does-pki-use-a-hash-function helpful? – SamG101 Jan 20 '20 at 19:42
  • It's impossible to get plaint text from the hashed ciphertext. Show us the article where you read that. – mentallurg Jan 20 '20 at 20:44
  • It only partly helps - 'Adding in a hash to the process stops that kind of attack because you've also got to check what the hash pre-image of the modified ciphertext is," - I get this part. What I don't get is how does one retrieve plaintext once the hash is verified. Hashes are ONE WAY only - once hashed, a message cannot be unhashed. Cheers – user2736158 Jan 20 '20 at 21:35
  • @mentallurg - that's exactly my point. If you start with plaintext, one way hash it - then encrypt the hashed payload, how the heck do you ever get the plaintext payload back?? How would a recipient ever read the plaintext data after decryption? – user2736158 Jan 20 '20 at 21:47
  • @user2736158: I said it's impossible. You don't need knowledge of cryptogtaphy for this. Suppose you have a video file of 1 GB size and create a hash for it that consists of 64 bytes. It is impossible to obtain from 64 bytes a video of 1 000 000 000 bytes. – mentallurg Jan 20 '20 at 21:53
  • @user2736158: I would suggest you tell us what article or book have read or in how did you come to that idea about hash. – mentallurg Jan 20 '20 at 21:57
  • 1
    If anyone tells you that something is "encrypted with a private key" you can be certain that they have some serious misconceptions about cryptography. – Maeher Jan 20 '20 at 22:26
  • Here is a simple article outlining basic PKI steps. https://medium.com/coinmonks/a-laymans-explanation-of-public-key-cryptography-and-digital-signatures-1090d4bd072e

    https://www.venafi.com/education-center/pki/how-does-pki-work

     – user2736158 Jan 20 '20 at 22:36
  • @user2736158: A few quotes from Venafi: 1) Asymmetric encryption uses two keys to encrypt plain text, both a public key and a secret key. 2) SSL ... Cryptography relies heavily on PKI security. No comment ;-) – mentallurg Jan 21 '20 at 00:02

1 Answers1

6

Signature generation is not encryption with the private key. Still, the basic flow of what you describe is correct for signature generation. However, the verification step is where everything derails.

As indicated in the comments, it is impossible to reverse a cryptographic hash. However, for signature verification, it is assumed that the verifying party knows the signed message M. The verifying party can then re-calculate the hash and use that as input for the rest of the verification procedure. So if the verifying party doesn't have the message M then you simply need to send it together with the signature.

See for instance step 2 in RSA signature verification specified for the PSS signature scheme:

Input:

      M      message to be verified, an octet string
      ...

and then later:

 ...
 2. Let mHash = Hash(M), an octet string of length hLen.
 ...

The verification procedure may indeed involve retrieving the original hash and perform comparison. However, other signature verification functions such as the verification function of ECDSA may simply require the re-calculated hash as input for the verification function. So in that case the original message hash isn't even retrieved from the signature.

There are schemes that perform message recovery. A few of those schemes are outlined in ISO/IEC 9796-2: Digital signature schemes giving message recovery. However, they are not often used anymore. In that case the message itself - or at least part of it - is included with the hash, the message is still not retrieved from the hash.

Remember that signatures do not provide message confidentiality. If you also want to keep your data secret then you should encrypt the data and signature over the data.

Community
  • 1
Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • Now - that makes some sense. Signature verification - I am okay with - compare the hashes. So - if I understand what you are saying - there is no way to get to the plaintext from the hashed message (which was part of my original question). You would need to actually send the plaintext message along with the hashed message. That's all I was trying to confirm. Thanks – user2736158 Jan 21 '20 at 15:09